Process plugins - Introduce SSADetector process plugin

Author: Zainullin Damir

src/plugins/process/ssaDetector/CMakeLists.txt

@@ -1,17 +1,24 @@
 project(ipfixprobe-process-ssadetector VERSION 1.0.0 DESCRIPTION "ipfixprobe-process-ssadetector plugin")
 
 add_library(ipfixprobe-process-ssadetector MODULE
-	src/ssadetector.cpp
-	src/ssadetector.hpp
+	src/ssaDetector.cpp
+	src/ssaDetector.hpp
+	src/ssaDetectorContext.hpp
+	src/ssaDetectorFields.hpp
+	src/packetStorage.hpp
 )
 
 set_target_properties(ipfixprobe-process-ssadetector PROPERTIES
 	CXX_VISIBILITY_PRESET hidden
 	VISIBILITY_INLINES_HIDDEN YES
 )
 
-target_include_directories(ipfixprobe-process-ssadetector PRIVATE
+target_include_directories(ipfixprobe-process-ssadetector PRIVATE 
 	${CMAKE_SOURCE_DIR}/include/
+	${CMAKE_SOURCE_DIR}/include/ipfixprobe/processPlugin
+	${CMAKE_SOURCE_DIR}/include/ipfixprobe/pluginFactory
+	${CMAKE_SOURCE_DIR}/src/plugins/process/common
+	${adaptmon_SOURCE_DIR}/lib/include/public/
 )
 
 if(ENABLE_NEMEA)

src/plugins/process/ssaDetector/README.md

@@ -0,0 +1,31 @@
+# SSADetector Plugin
+
+Analyzes connections to identify encrypted tunnels.
+
+## Features
+
+- Calculates and exports confidence that given flow is a tunnel.
+- Detection is base on identification of encrypted TCP syn-synack-ack tuples.
+
+## Output Fields
+
+| Field Name       | Data Type | Description                                                     |
+| ---------------- | --------- | --------------------------------------------------------------- |
+| `SSA_CONF_LEVEL` | `uint8_t` | Confidence that given flow is a tunnel as a percentage (0-100). |
+
+## Usage
+
+### YAML Configuration
+
+Add the plugin to your ipfixprobe YAML configuration:
+
+```yaml
+process_plugins:
+  - ssadetector
+```
+
+### CLI Usage
+
+You can also enable the plugin directly from the command line:
+
+`ipfixprobe -p ssadetector ...`

src/plugins/process/ssaDetector/src/packetStorage.hpp

@@ -0,0 +1,76 @@
+/**
+ * @file packetStorage.hpp
+ * @brief Declaration of PacketStorage class for SSA Detector plugin.
+ * @author Damir Zainullin <[email protected]>
+ * @date 2025
+ *
+ * @copyright Copyright (c) 2025 CESNET, z.s.p.o.
+ */
+
+#pragma once
+
+#include <array>
+#include <chrono>
+#include <cstddef>
+#include <vector>
+
+#include <amon/types/Timestamp.hpp>
+#include <directionalField.hpp>
+#include <timestamp.hpp>
+
+namespace ipxp::process::ssaDetector {
+
+/**
+ * @class PacketStorage
+ * @brief Stores timestamps of packets categorized by their lengths and directions.
+ * This class is used in the SSA Detector plugin to track packet timings
+ * for different packet sizes and directions.
+ */
+class PacketStorage {
+public:
+	constexpr static std::size_t MIN_PACKET_SIZE = 60;
+	constexpr static std::size_t MAX_PACKET_SIZE = 150;
+	constexpr static std::size_t MAX_PACKET_TIMEDIFF_NS
+		= std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::seconds(3)).count();
+
+	constexpr static bool isValid(const std::size_t length) noexcept
+	{
+		return length >= MIN_PACKET_SIZE && length <= MAX_PACKET_SIZE;
+	}
+
+	constexpr void insert(
+		const std::size_t length,
+		const amon::types::Timestamp timestamp,
+		const Direction direction) noexcept
+	{
+		timestamps.resize(length - MIN_PACKET_SIZE);
+		timestamps[length - MIN_PACKET_SIZE][direction] = timestamp;
+	}
+
+	constexpr bool hasSimilarPacketsRecently(
+		const std::size_t length,
+		const std::size_t maxSizeDiff,
+		const amon::types::Timestamp now,
+		const Direction direction) noexcept
+	{
+		const std::size_t endIndex = length - MIN_PACKET_SIZE;
+		const std::size_t startIndex = endIndex > maxSizeDiff ? endIndex - maxSizeDiff : 0;
+
+		for (std::size_t i = startIndex; i <= endIndex; ++i) {
+			if (now.nanoseconds() > timestamps[i][direction].nanoseconds()
+				&& (now.nanoseconds() - timestamps[i][direction].nanoseconds())
+					< MAX_PACKET_TIMEDIFF_NS) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	void clear() noexcept { timestamps.clear(); }
+
+private:
+	std::vector<DirectionalField<amon::types::Timestamp>> timestamps;
+};
+
+} // namespace ipxp::process::ssaDetector

src/plugins/process/ssaDetector/src/ssaDetector.cpp

@@ -0,0 +1,205 @@
+/**
+ * @file
+ * @brief Plugin for parsing basicplus traffic.
+ * @author Jiri Havranek <[email protected]>
+ * @author Pavel Siska <[email protected]>
+ * @date 2025
+ *
+ * Copyright (c) 2025 CESNET
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "ssaDetector.hpp"
+
+#include "ssaDetectorGetters.hpp"
+
+#include <iostream>
+
+#include <fieldGroup.hpp>
+#include <fieldManager.hpp>
+#include <flowRecord.hpp>
+#include <ipfixprobe/options.hpp>
+#include <pluginFactory.hpp>
+#include <pluginManifest.hpp>
+#include <pluginRegistrar.hpp>
+#include <utils.hpp>
+
+namespace ipxp::process::ssaDetector {
+
+static const PluginManifest ssaDetectorPluginManifest = {
+	.name = "ssadetector",
+	.description = "Ssadetector process plugin for parsing vpn_automaton traffic.",
+	.pluginVersion = "1.0.0",
+	.apiVersion = "1.0.0",
+	.usage =
+		[]() {
+			OptionsParser parser(
+				"ssadetector",
+				"Check traffic for SYN-SYNACK-ACK sequence to find possible network tunnels.");
+			parser.usage(std::cout);
+		},
+};
+
+static FieldGroup createSSADetectorSchema(
+	FieldManager& fieldManager,
+	FieldHandlers<SSADetectorFields> handlers) noexcept
+{
+	FieldGroup schema = fieldManager.createFieldGroup("ssadetector");
+
+	handlers.insert(
+		SSADetectorFields::SSA_CONF_LEVEL,
+		schema.addScalarField("SSA_CONF_LEVEL", getSSAConfLevelField));
+	return schema;
+}
+
+SSADetectorPlugin::SSADetectorPlugin(
+	[[maybe_unused]] const std::string& params,
+	FieldManager& manager)
+{
+	createSSADetectorSchema(manager, m_fieldHandlers);
+}
+
+void SSADetectorPlugin::updatePacketsData(
+	const amon::Packet& packet,
+	const Direction direction,
+	SSADetectorContext& ssaContext) noexcept
+{
+	const std::optional<std::size_t> ipPayloadLength = getIPPayloadLength(packet);
+
+	if (!ipPayloadLength.has_value() || !PacketStorage::isValid(*ipPayloadLength)) {
+		return;
+	}
+
+	constexpr std::size_t MaxSynToSynAckSizeDiff = 12;
+	const bool foundTCPHandshake
+		= ssaContext.processingState.synAckPackets.hasSimilarPacketsRecently(
+			*ipPayloadLength,
+			MaxSynToSynAckSizeDiff,
+			packet.timestamp,
+			static_cast<Direction>(!direction));
+
+	if (foundTCPHandshake) {
+		ssaContext.processingState.synPackets.clear();
+		ssaContext.processingState.synAckPackets.clear();
+		ssaContext.processingState.suspects++;
+		if (ssaContext.processingState.suspectLengths.size()
+			!= ssaContext.processingState.suspectLengths.capacity()) {
+			ssaContext.processingState.suspectLengths.push_back(*ipPayloadLength);
+		}
+		return;
+	}
+
+	constexpr std::size_t MaxSynAckToSynSizeDiff = 10;
+	const bool correspondingSynFound
+		= ssaContext.processingState.synPackets.hasSimilarPacketsRecently(
+			*ipPayloadLength,
+			MaxSynAckToSynSizeDiff,
+			packet.timestamp,
+			static_cast<Direction>(!direction));
+	if (correspondingSynFound) {
+		ssaContext.processingState.synAckPackets.insert(
+			*ipPayloadLength,
+			packet.timestamp,
+			direction);
+	}
+
+	ssaContext.processingState.synPackets.insert(*ipPayloadLength, packet.timestamp, direction);
+}
+
+OnInitResult SSADetectorPlugin::onInit(const FlowContext& flowContext, void* pluginContext)
+{
+	constexpr std::size_t MIN_FLOW_LENGTH = 30;
+	if (flowContext.flowRecord.directionalData[Direction::Forward].packets
+			+ flowContext.flowRecord.directionalData[Direction::Reverse].packets
+		< MIN_FLOW_LENGTH) {
+		return OnInitResult::PendingConstruction;
+	}
+
+	auto& ssaContext = *std::construct_at(reinterpret_cast<SSADetectorContext*>(pluginContext));
+	updatePacketsData(*flowContext.packetContext.packet, flowContext.packetDirection, ssaContext);
+
+	return OnInitResult::ConstructedNeedsUpdate;
+}
+
+OnUpdateResult SSADetectorPlugin::onUpdate(const FlowContext& flowContext, void* pluginContext)
+{
+	auto& ssaContext = *reinterpret_cast<SSADetectorContext*>(pluginContext);
+	updatePacketsData(*flowContext.packetContext.packet, flowContext.packetDirection, ssaContext);
+
+	return OnUpdateResult::NeedsUpdate;
+}
+
+constexpr static double calculateUniqueRatio(auto&& container) noexcept
+{
+	std::sort(container.begin(), container.end());
+	auto last = std::unique(container.begin(), container.end());
+	return static_cast<double>(std::distance(container.begin(), last)) / container.size();
+}
+
+OnExportResult SSADetectorPlugin::onExport(const FlowRecord& flowRecord, void* pluginContext)
+{
+	auto& ssaContext = *reinterpret_cast<SSADetectorContext*>(pluginContext);
+	// do not export for small packets flows
+	constexpr double HIGH_NUM_SUSPECTS_MAX_RATIO = 0.2;
+
+	const std::size_t packetsTotal = flowRecord.directionalData[Direction::Forward].packets
+		+ flowRecord.directionalData[Direction::Reverse].packets;
+	constexpr std::size_t MIN_PACKETS = 30;
+	if (packetsTotal <= MIN_PACKETS) {
+		return OnExportResult::Remove;
+	}
+
+	constexpr std::size_t MIN_SUSPECTS_COUNT = 3;
+	if (ssaContext.processingState.suspects < MIN_SUSPECTS_COUNT) {
+		return OnExportResult::Remove;
+	}
+
+	constexpr std::size_t MIN_SUSPECTS_RATIO = 2500;
+	if (double(packetsTotal) / double(ssaContext.processingState.suspects) > MIN_SUSPECTS_RATIO) {
+		return OnExportResult::Remove;
+	}
+
+	const double uniqueRatio = calculateUniqueRatio(ssaContext.processingState.suspectLengths);
+	constexpr std::size_t LOW_NUM_SUSPECTS_THRESHOLD = 15;
+	constexpr double LOW_NUM_SUSPECTS_MAX_RATIO = 0.6;
+	if (ssaContext.processingState.suspects < LOW_NUM_SUSPECTS_THRESHOLD
+		&& uniqueRatio > LOW_NUM_SUSPECTS_MAX_RATIO) {
+		return OnExportResult::Remove;
+	}
+
+	constexpr std::size_t MID_NUM_SUSPECTS_THRESHOLD = 40;
+	constexpr double MID_NUM_SUSPECTS_MAX_RATIO = 0.4;
+	if (ssaContext.processingState.suspects < MID_NUM_SUSPECTS_THRESHOLD
+		&& uniqueRatio > MID_NUM_SUSPECTS_MAX_RATIO) {
+		return OnExportResult::Remove;
+	}
+
+	if (uniqueRatio > HIGH_NUM_SUSPECTS_MAX_RATIO) {
+		return OnExportResult::Remove;
+	}
+
+	ssaContext.confidence = 1;
+	m_fieldHandlers[SSADetectorFields::SSA_CONF_LEVEL].setAsAvailable(flowRecord);
+	return OnExportResult::NoAction;
+}
+
+void SSADetectorPlugin::onDestroy(void* pluginContext) noexcept
+{
+	std::destroy_at(reinterpret_cast<SSADetectorContext*>(pluginContext));
+}
+
+PluginDataMemoryLayout SSADetectorPlugin::getDataMemoryLayout() const noexcept
+{
+	return {
+		.size = sizeof(SSADetectorContext),
+		.alignment = alignof(SSADetectorContext),
+	};
+}
+
+static const PluginRegistrar<
+	SSADetectorPlugin,
+	PluginFactory<ProcessPlugin, const std::string&, FieldManager&>>
+	ssaDetectorRegistrar(ssaDetectorPluginManifest);
+
+} // namespace ipxp::process::ssaDetector